feat: Improved TLS configuration (#570)
This adds dedicated features to choose between TLS native roots and TLS webpki roots. Refer to the Cargo.toml features.
SvenKeimpema authored Sep 5, 2024
1 parent da2dddf commit 4ebde7b
Showing 2 changed files with 22 additions and 10 deletions.
12 changes: 7 additions & 5 deletions Cargo.toml
Expand Up @@ -16,7 +16,7 @@ include = [
]

[features]
default = []
default = ["tls-roots"]

## Feature that enables support for the [actix framework](https://actix.rs/).
actix = ["credentials", "oidc", "dep:actix-web"]
Expand Down Expand Up @@ -53,6 +53,9 @@ api-settings-v2 = ["api-common", "zitadel-settings-v2" ]
api-user-v2 = ["api-common", "zitadel-user-v2" ]
api-common = ["dep:prost", "dep:prost-types", "dep:tonic", "dep:tonic-types", "dep:pbjson-types" ]

tls-roots = ["tonic/tls-roots"]
tls-webpki-roots = ["tonic/tls-webpki-roots"]


## Feature that enables support for the [axum framework](https://docs.rs/axum/latest/axum/).
axum = ["credentials", "oidc", "dep:axum", "dep:axum-extra"]
Expand Down Expand Up @@ -87,7 +90,7 @@ rocket = ["credentials", "oidc", "dep:rocket"]
# @@protoc_deletion_point(features)
# This section is automatically generated by protoc-gen-prost-crate.
# Changes in this area may be lost on regeneration.
proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-auth-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-event-v1","zitadel-feature-v1","zitadel-feature-v2","zitadel-feature-v2beta","zitadel-idp-v1","zitadel-idp-v2","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-milestone-v1","zitadel-object-v2","zitadel-object-v2beta","zitadel-object-v3alpha","zitadel-oidc-v2","zitadel-oidc-v2beta","zitadel-org-v1","zitadel-org-v2","zitadel-org-v2beta","zitadel-policy-v1","zitadel-project-v1","zitadel-protoc_gen_zitadel-v2","zitadel-quota-v1","zitadel-resources-action-v3alpha","zitadel-resources-object-v3alpha","zitadel-resources-webkey-v3alpha","zitadel-session-v2","zitadel-session-v2beta","zitadel-settings-object-v3alpha","zitadel-settings-v1","zitadel-settings-v2","zitadel-settings-v2beta","zitadel-system-v1","zitadel-text-v1","zitadel-user-schema-v3alpha","zitadel-user-v1","zitadel-user-v2","zitadel-user-v2beta","zitadel-user-v3alpha","zitadel-v1","zitadel-v1-v1"]
proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-auth-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-event-v1","zitadel-feature-v1","zitadel-feature-v2","zitadel-feature-v2beta","zitadel-idp-v1","zitadel-idp-v2","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-milestone-v1","zitadel-object-v2","zitadel-object-v2beta","zitadel-object-v3alpha","zitadel-oidc-v2","zitadel-oidc-v2beta","zitadel-org-v1","zitadel-org-v2","zitadel-org-v2beta","zitadel-policy-v1","zitadel-project-v1","zitadel-protoc_gen_zitadel-v2","zitadel-quota-v1","zitadel-resources-action-v3alpha","zitadel-resources-object-v3alpha","zitadel-resources-user-v3alpha","zitadel-resources-userschema-v3alpha","zitadel-resources-webkey-v3alpha","zitadel-session-v2","zitadel-session-v2beta","zitadel-settings-object-v3alpha","zitadel-settings-v1","zitadel-settings-v2","zitadel-settings-v2beta","zitadel-system-v1","zitadel-text-v1","zitadel-user-v1","zitadel-user-v2","zitadel-user-v2beta","zitadel-v1","zitadel-v1-v1"]
"zitadel-action-v1" = ["zitadel-v1"]
"zitadel-admin-v1" = ["zitadel-event-v1","zitadel-idp-v1","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-milestone-v1","zitadel-org-v1","zitadel-policy-v1","zitadel-settings-v1","zitadel-text-v1","zitadel-v1","zitadel-v1-v1"]
"zitadel-app-v1" = ["zitadel-v1"]
Expand Down Expand Up @@ -119,6 +122,8 @@ proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-a
"zitadel-quota-v1" = []
"zitadel-resources-action-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
"zitadel-resources-object-v3alpha" = ["zitadel-object-v3alpha"]
"zitadel-resources-user-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
"zitadel-resources-userschema-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
"zitadel-resources-webkey-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
"zitadel-session-v2" = ["zitadel-object-v2","zitadel-v1"]
"zitadel-session-v2beta" = ["zitadel-object-v2beta","zitadel-v1"]
Expand All @@ -128,11 +133,9 @@ proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-a
"zitadel-settings-v2beta" = ["zitadel-object-v2beta"]
"zitadel-system-v1" = ["zitadel-feature-v1","zitadel-instance-v1","zitadel-member-v1","zitadel-quota-v1","zitadel-v1"]
"zitadel-text-v1" = ["zitadel-v1"]
"zitadel-user-schema-v3alpha" = ["zitadel-object-v2"]
"zitadel-user-v1" = ["zitadel-v1"]
"zitadel-user-v2" = ["zitadel-object-v2"]
"zitadel-user-v2beta" = ["zitadel-object-v2beta"]
"zitadel-user-v3alpha" = ["zitadel-object-v2"]
"zitadel-v1" = []
"zitadel-v1-v1" = ["zitadel-authn-v1","zitadel-idp-v1","zitadel-management-v1","zitadel-org-v1","zitadel-v1"]
# @@protoc_insertion_point(features)
Expand Down Expand Up @@ -163,7 +166,6 @@ tokio = { version = "1.37.0", optional = true, features = [
] }
tonic = { version = "0.12.1", features = [
"tls",
"tls-roots",
], optional = true }
tonic-types = { version = "0.12.1", optional = true }

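Review bot: The two new features `tls-roots = ["tonic/tls-roots"]` and `tls-webpki-roots = ["tonic/tls-webpki-roots"]` carry no `##` description, unlike every other feature in this file, and nothing tells a consumer that Cargo features are additive: enabling `tls-webpki-roots` on top of `default = ["tls-roots"]` yields both root stores, so "choose between" from the commit message only holds with `default-features = false`. Which root store is trusted decides which server certificates the client accepts, so this belongs in the manifest. I would add above the pair: `## TLS root store used to verify the API server certificate: tls-roots trusts the platform's native store (enabled by default), tls-webpki-roots bundles the webpki root set; set default-features = false to use only the latter.` Dropping `"tls-roots"` from the tonic dependency below is consistent with that, since the crate feature now forwards it.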
20 changes: 15 additions & 5 deletions src/api/clients.rs
Expand Up @@ -8,6 +8,7 @@ use std::error::Error;
use custom_error::custom_error;
use tonic::codegen::{Body, Bytes, InterceptedService, StdError};
use tonic::service::Interceptor;

use tonic::transport::{Channel, ClientTlsConfig, Endpoint};

#[cfg(feature = "interceptors")]
Expand Down Expand Up @@ -284,19 +285,28 @@ where
}

async fn get_channel(api_endpoint: &str) -> Result<Channel, ClientError> {
let mut tls_config = ClientTlsConfig::default().assume_http2(true);

#[cfg(feature = "tls-roots")]
{
tls_config = tls_config.with_native_roots();
}

#[cfg(feature = "tls-webpki-roots")]
{
tls_config = tls_config.with_enabled_roots();
}

Endpoint::from_shared(api_endpoint.to_string())
.map_err(|_| ClientError::InvalidUrl)?
.tls_config(
ClientTlsConfig::default()
.assume_http2(true)
.with_native_roots(),
)
.tls_config(tls_config)
.map_err(|_| ClientError::TlsInitializationError)?
.connect()
.await
.map_err(|_| ClientError::ConnectionError)
}


#[cfg(test)]
mod tests {
use super::*;
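Review bot: In `get_channel`, the `tls-webpki-roots` block calls `tls_config.with_enabled_roots()` while the `tls-roots` block calls `with_native_roots()`; the direct counterpart is `with_webpki_roots()`, whereas `with_enabled_roots()` selects roots from whatever root features tonic itself was built with, so when both crate features are on (the default plus `tls-webpki-roots`) both blocks run and the outcome depends on whether the second call extends or replaces the first — worth confirming against the tonic 0.12 source that `assume_http2(true)` survives it too. I would change `tls_config = tls_config.with_enabled_roots();` to `tls_config = tls_config.with_webpki_roots();`. With neither feature enabled, the channel is built with a `ClientTlsConfig` that trusts no roots at all and, presumably, every connect fails at certificate verification surfacing only as the generic `ClientError::ConnectionError`; a build-time guard makes the misconfiguration explicit: `#[cfg(not(any(feature = "tls-roots", feature = "tls-webpki-roots")))] compile_error!("enable either the tls-roots or the tls-webpki-roots feature");`. Since the `#[cfg]` blocks assign once each, shadowing with `let tls_config = ...` would avoid the `let mut`, but that is style only.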
